Woolworths' $1M lesson from gift card blunder

Accidental data breaches might be the most dangerous

gift cards
Credit: 401kcalculator.org, CC BY-SA 2.0

When security consultants speak of the huge internal threat against retailers, they are generally talking about rogue employees. They fear the people on the inside of your firewalls who might exceed their level of access/authorization to steal data from the company and sell it on their own. Companies try and combat this with psychology profiles when screening potential employees, periodic spying on email conversations and — often talked about but, but rarely deployed — a greater level of supervision.

But this won't help if the employees are honest, but sloppy. In other words, accidental data breaches might be the most dangerous, in that it's clearly a company's fault and there are very few ways to prevent it. Case in point: A recent breach at Woolworths, the 933-store chain that is Australia's largest grocer, reporting revenues of $60.8 billion Australian (about $46 billion U.S.) last year.

On May 30, the chain emailed 7,941 shoppers vouchers they had just purchased. The oopsie here is that those emails included an Excel attachment listing the card number, expiration date and amount of the vouchers of the 7,940 other shoppers' gift cards. That information was enough to allow any shopper to use all of the other shoppers' cards. This forced the chain to scramble to quickly cancel $1,308,505 in vouchers.

The risk was not hypothetical. "As a result of the data leak, customers reported they had logged onto the Woolworths site on Saturday only to discover their vouchers had already been spent," reported The Sydney Morning Herald. "The data breach, which was discovered on Saturday morning, occurred after customers purchased the vouchers from the online savings site Groupon, which ran a deal last week offering BIG W eGift cards, valued at $200 and $100, at a 7.5 per cent discount. The cards were redeemable at Woolworths online and in store, Big W stores, and Caltex petrol stations."

This whole mess was presumably an accident. My cynical side points out that if a thief wanted to cover his/her tracks, the best way would be to get an accomplice in marketing to do something like this and to then have people standing by at the exact agreed-upon moment to start cashing out the numbers. But I'll put aside the cynicism for now and assume this was an accident. After all, how many among us have never sent someone the wrong attachment?

The mere existence of such a comprehensive document was asking for trouble. Why not have the system automatically reply to each customer with that customer's information? OK, the system probably compiles all card information into one spreadsheet, complete with expiration date and amount, and then someone manually prepares a batch of emails containing the relevant subset of data.

But someone should have gotten a heads up that something was wrong because this wasn't even the right kind of attachment. When shoppers made the Groupon purchase, they were told to expect a PDF with their electronic voucher, not an Excel spreadsheet.

It seems almost certain that this task was done with no supervision. It's easy to envision how someone could accidentally attach the wrong file. But if the message and file were sent to a supervisor for approval, there's a good chance the error would have been noticed.

This system compiled all data needed to cash out the cards in one place and gave it to a person who could directly transmit it to thousands of people with no second set of eyes. For an enterprise this large, does that seem to be a bit risky?

In the same way that cyberthief protections force IT to think like a thief, it's essential for IT to realistically project likely errors and put in place safeguards. For a problem this nasty, someone should be fired. But it's not the marketing person who sent the emails. It should be whoever signed off on this process in the first place.

Computerworld's IT Salary Survey 2017 results
Shop Tech Products at Amazon